Summary and next steps
Passkeys don’t have to be intimidating. Passlock abstracts registration and authentication into a simple process. You use the client library to obtain a code, which you send to your backend for verification. Your backend then exchanges the code to obtain the passkey details. You’ve mastered the basics, but Passlock can do much more.
Recommended next steps…
Testing for browser support
Most browsers now support passkeys, although some capabilities such as programmatic passkey deletion, updates, and pruning are limited to newer browsers. Don’t assume a function call will succeed; check for errors. Alternatively, use helper functions such as isPasskeySupport, isPasskeyDeleteSupport, isPasskeyUpdateSupport, and isPasskeyPruningSupport to preemptively test for browser support.
Local JWT verification
The examples in this quick start guide use the code exchange flow. Whether you use the server library, or make the call directly, ultimately you’re making a network call to verify the passkey. An alternative to code exchange is local id_token (JWT) verification. This avoids the need for a network call as the JWT is verified locally.
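The checks a local verifier has to perform once there is no network call to lean on, as an added example that is not Passlock's own code or API. It assumes an RS256-signed id_token; the issuer, audience and key pair are constructed placeholders, so confirm the real algorithm, claims and key source in the Passlock documentation.

```javascript
// Added example: local id_token checks. RS256, issuer and audience are assumptions.
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Verify a compact JWS locally: pinned algorithm, then signature, then claims.
function verifyIdToken(token, publicKey, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try { header = decode(parts[0]); claims = decode(parts[1]); }
  catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm; the token header must never choose it ("none", HS256 confusion).
  if (header?.alg !== 'RS256') return { ok: false, reason: 'alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, publicKey, sig)) return { ok: false, reason: 'signature' };
  if (claims?.iss !== issuer) return { ok: false, reason: 'iss' };
  const aud = [].concat(claims.aud ?? []);
  if (!aud.includes(audience)) return { ok: false, reason: 'aud' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'exp' };
  return { ok: true, claims };
}

// Constructed sample data: throwaway key pair and tokens minted in-process.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function mint(claims, alg = 'RS256') {
  const head = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = alg === 'none' ? '' : b64url(crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey));
  return `${head}.${body}.${sig}`;
}
const expected = { issuer: 'https://issuer.example', audience: 'tenancy-placeholder', now: 1_700_000_000 };
const base = { iss: expected.issuer, aud: expected.audience, sub: 'user-1', exp: expected.now + 300 };

function demo() {
  const good = mint(base);
  const [h, , s] = good.split('.');
  const tampered = `${h}.${b64url(JSON.stringify({ ...base, sub: 'admin' }))}.${s}`;
  return {
    good: verifyIdToken(good, publicKey, expected).ok,
    tampered: verifyIdToken(tampered, publicKey, expected).reason,
    unsigned: verifyIdToken(mint(base, 'none'), publicKey, expected).reason,
    expired: verifyIdToken(mint({ ...base, exp: expected.now - 1 }), publicKey, expected).reason,
    wrongAud: verifyIdToken(mint({ ...base, aud: 'other' }), publicKey, expected).reason,
  };
}
console.log(demo());
```

In a real deployment the public key comes from the token issuer and should be cached and rotated rather than generated locally.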
Local user re-authentication
Passkeys include a concept known as user verification, which allows the device to re-authenticate the user locally (typically through Face ID / Touch ID) before presenting the passkey.
Patterns and best practice
Passkeys can be used as a primary authentication strategy (replacing passwords), as an alternative login mechanism, or as a secondary authentication factor. Please see the authentication patterns guide.
Tenancies
Passlock includes multiple isolated tenancies. The development tenancy has some special characteristics to improve the developer experience. Learn how it differs from your staging and production tenancies.